talking with HakLuke (Hacker and creator of Hakrawler and other tools)
Key Takeaways
HakLuke discusses his background in web development, penetration testing and bug bounties, and showcases Hakrawler, a web crawler that automates the discovery of a web application's links, JavaScript files and parameters across many targets at once. He explains why he writes his tools in Go (native concurrency and compiled speed), how his pen-testing workflow centres on a proxy such as Burp Suite with his own tools as added convenience, and the value of open-source development and collaboration in the hacking community.
Full Transcript
So now let's step forward and actually install one of these tools. The first one we're looking at is a tool called Hakrawler, from an amazing dude named HakLuke. Luke, go ahead and tell us more about what Hakrawler is.

Hakrawler is a web crawler. So basically you feed it a website, or many websites, and it will navigate to those websites, and then it will find all of the links in that page, and then it will navigate to those links, and it will navigate to the links in those pages, and those pages and those pages, to as many levels down as you specify. As a hacker, I guess one of the things that you're looking for is just coverage over web applications, making sure you can cover things or discover things with the least amount of manual work possible, because it's quite a daunting task to discover every single feature in a web application manually. So this just kind of automates that process decently. I also wanted it to be fast, because basically that means you can use it over many different websites. So if you're, for example, hacking on a target that has, I don't know, like a hundred different web servers, then you can just pass those hundred web servers straight to Hakrawler and it will crawl through all of them, and then you can kind of just scroll through the JavaScript files that it found, or any of the links that it found, and look for any interesting parameters or whatever it discovers, and use those to start your hacking process. So yeah, that's pretty much what it's for.

Yeah, and I was testing it out before this call, and it's insanely fast. I mean, it's like boom, it's there. Like, oh my gosh, did it really do it? Let me go double check. Yeah, no, it did everything. Now, just real quick, people may not know who you are. Who are you? What are you about?

Yeah, okay. Well, I come from a web development background, so I was coding websites, developing websites and different web apps, basically, and I've always been interested in hacking, so I eventually switched over to the dark side and got a job as a penetration tester. I did that for a while, and then I started getting really interested in bug bounties, just because I wanted to keep hacking at night, because it's a big passion of mine, obviously. So I started doing bug bounties and I got really involved in that, and then eventually I actually ended up working for Bugcrowd as a manager there, basically hiring and training a team of triagers. After that I decided to start my own cyber security consultancy, so for the last, what, 13 months now, just over a year, I've been running my consultancy called Haksec. We do penetration testing and things like that, and also recently started doing hacker content. I noticed, going through a bunch of different cyber security organizations, that they're pretty much all bad at content marketing, so I decided to try and fix that problem by basically offering a service to create really good cyber security content for different cyber security organizations, and that's been going really well too.

Amazing. So you're on your own now, like you're your own boss? You don't work for anyone right now?

No, I don't work for anyone. I pick my own hours and all that, which is really handy at the moment, as you know, because I've got a second child on the way.

You know all about that. Oh yeah.

And yeah, it's kind of a decision I made to go out on my own, mostly for the flexibility and the freedom, and it's been really cool. I've learned a lot.

I love hearing stories like that, because I made the same jump myself. It's a scary thing, but it's also the most fun thing in the world. It gives you so much freedom, and you feel like a boss because you are the boss, and it's awesome. So you've been on your own for how long now?

I've been totally on my own for just over a year. And yeah, you're so right, it offers you a lot of freedom, but also I think naturally you find a lot more meaning in your work, because everything that you do is completely for yourself. You really are inspired to go above and beyond in the things that you do, and if you provide services, the services you provide or the product you're creating or whatever you're doing, you really are inspired to go above and beyond and make that product good, because you're the only one that reaps the benefits. Whereas when you're working for someone else, at least I found that I want to do my job well, obviously, but it's not quite the same, because you're always going to earn the same salary, or they might offer you a pay rise or whatever, but the incentive is not as tangible when you're working for someone else as it is working for yourself.

Yeah, it's definitely different, because the stakes are different. If you're working for a company and you do a good job, that company does well, their name is lifted up, and if you do a terrible job it doesn't really affect you either, because their name is brought down a bit; you're kind of covered. But when it's your own thing, everything you do reflects on you.

Yeah, and when you do a good job, it's you doing a good job, not anyone else.

Yeah. So anyway, you make these tools like Hakrawler to help you do what you do, I'm assuming, right?

Yes.

So why make this tool? Because I know, I've looked around, there are other tools that do subdomain listing, they look through things. Some of them are like, you know, turbo lister and getallurls. So why make your own?

Sometimes I make my own tools. I usually don't spend more than a couple of days making a tool, or even one day, but it's usually just to scratch my own itch, as they say. So I'll be doing some particular task and I just don't know of a good way or an effective way to do that, so I just write a quick Golang tool to do it for me. And sometimes, after I make it, I'll post about it on Twitter or whatever, and someone will come back and be like, oh, this other person's tool already does this, and I'm like, well, if I knew that existed I wouldn't have done it myself, I would have just used that. So really it's more of a convenience thing for me. If I can find any task I do regularly that could be automated without too much time investment, then I'll basically write a tool for it. So it's basically being lazy, you know. It's just automating things that I do repetitively, or that are not particularly fun to do, or whatever. If I can automate that, I will. That's basically it, and that's the beauty of coding, in my opinion. That's the primary use case for coding: automating things that you don't want to do manually, or things that computers can do better than humans.

Yeah, I mean, I know you don't have to be a coder like yourself to be a hacker or do bug bounty, but being able to code your own tools like this to automate things certainly makes you better, and it's certainly an asset. So I wish I knew more coding. I'm curious, why not Python? Why Golang? Are you just more comfortable with it, or is it actually faster?

So I knew Python before I knew Golang, but ultimately Golang has native concurrency, and that's the main reason that I use it. Also, because it's a compiled language, it's just a bit faster, but it really depends. You can certainly write the same tool in Python and Golang, and the Golang one might be slower if you don't code it in a way that is particularly effective or efficient, so it just really depends. I can write in Python as well, quite well, but I end up writing everything in Go these days, just because, I don't know, I just like it being compiled. I like my tools to be compiled, and I just really like Golang as a language. But yeah, the main thing is its concurrency; that's what keeps me with Golang. It's just faster, and a lot of the things that I code, I code them because I want to do them over a bunch of different targets or something like that, so being concurrent is really important, I guess.

Yeah, actually, most people, I guess, when they jump in and try a tool, they're running it against one URL, like, oh, that was cool, that was fun. But you're doing this against, you know, you might be doing a bug bounty and you're going against a bunch of URLs, a bunch of subdomains and everything, or you're doing an entire company that has a bunch of different URLs. You've got to just, bam, set it, forget it, let it run quickly while you're doing something else. Is that kind of the routine for you?

Pretty much, pretty much, yeah. And bug bounty automation has been a love of mine for years now, many years, although in recent times I haven't been doing many bug bounties since I started Haksec, because I've been kind of fulfilling my hacking needs with penetration testing and stuff.

I love how you describe it, like a drug. You're like, I wasn't getting enough during the day with my regular job, I had to go home and hit it, but now my regular job is really fulfilling me. I'm good.

Which hacking is kind of exactly. That's exactly how I feel, actually. It's just this, I don't know, rush with hacking. You find a good vulnerability and there's no better feeling. It's really good.

So now that you're doing pen testing, which, I mean, I know there's a lot of overlap between bug bounty and pen testing, but for you, what's the main difference, and what do you get more of a kick out of nowadays?

Well, actually, I get more of a kick out of bug bounties, and always have. The difference is the incentive model. When you do a penetration test, whether you do it with your own consultancy or you're a freelancer or you work for someone else, the way that it's billed and the way that you get paid is for your time. So in a penetration test, whether you find a bunch of critical vulnerabilities and tear the app apart, or whatever you're hacking, no matter how well you do, you get paid the same. And there's more to life than money, of course, but there's no better rush than, on a bug bounty, finding a good critical vulnerability and getting like a five or ten thousand dollar payout for that. Something about that incentive model, where you're getting paid for providing the best value per bug, is really kind of inspiring, and it just makes me want to hack on bug bounties more. It's more addictive, I think that's what it is. With a penetration test, I guess the goal is to provide coverage. Usually, let's say you're testing a web application, which is like the bread and butter of penetration testing, the customer is really concerned with you having tested all the functionality and providing the most value by providing the most coverage on the application. Whereas when you're doing bug bounties, you know that the application's been covered a bunch of times before by other people, so your value really comes in by digging deep and focusing on functionality at a very micro level, and really digging into the details and trying to find bugs that are quite technical. So yeah, there's something really cool about that.

Yeah, I totally see that. Because when you get hired by someone to test their application, you're not always going to find something novel or amazing. It might just be a typical thing, especially if you're really good at automating. It's probably going to be just another Wednesday, you know, like when you're just running a test: found the same thing that you found on the other guy's thing, because everyone does the same thing. I mean, is that kind of how it is? Is pen testing pretty repetitive?

It is pretty repetitive, yeah. Obviously every application, every target that you test, is different, and there are different types of tests. There are web applications, or you can do internal networks or external infrastructure, or you can do mobile apps, or even, I've done a few kiosks, like in fast food restaurants, all sorts of things. So there's a bit of fun there, but ultimately most of the tests I do are web applications, and most of the actual testing I'm doing is pretty standard when I'm doing penetration tests. So I do like doing bug bounties, because you kind of get more freedom over what you attack. If you see an interesting target, you can attack it as long as it's in scope of the program, whereas with a penetration test, typically you've got a narrower scope and you have to focus on that. I don't know, it's just different. It's really different. I find it hard to explain, but for some reason bug bounties are just far more addictive, for me at least.

Yeah, but it does sound like bug bounty is really, really hard to sustain, which is why a father like yourself will go for pen testing, because it's more steady and people need those tests. Now, I'm imagining you probably use all the same tools that you built for automating bug bounty to do your pen testing?

Yes, yeah, I do use my own tools a lot, and pretty much most of my pen testing, especially if I'm dealing with web applications, is just Burp Suite, or Caido, or ZAP proxy, or one of those alternatives. But basically a good proxy where you can view and edit HTTP requests, and everything else is basically convenience. Any tools that I write beyond that are just added convenience, I suppose.

Excellent. Actually, now, I was looking at some of the things, like I was trying to do some of the chaining with, was it Haktrails that you made as well, that keys in with SecurityTrails? I was trying to get that going. I'm like, I don't have enough time. So how many tools have you written?

Oh, I don't know. I mean, almost all of them are open source, and I typically like to just open source everything, but I'll just have a look at my GitHub profile. If you want to look at it, it's github.com/hakluke, but "hak" doesn't have a c, so h-a-k-l-u-k-e. I've got 98 repositories here, but I think a bunch of them will be forks rather than actual things that I've coded. I'm not going to go through and count them, but quite a few, maybe, I don't know, 20, something like that, that I've actually released. And I've got some others that I want to release, but I kind of want to polish them a bit before I release them, because otherwise I'll release them and nobody will understand how to use it, and it might be a bit buggy. So I want to at least get it to a bit of a minimum standard before I release it. But yeah, there's some cool stuff coming out soon.

Oh, so I'm excited about that. And it's also highly appreciated when you actually make sure it works. I was testing it out, like, I tried every installation method that you mentioned on your GitHub, which, having multiple is amazing. So real quick, just for people watching, how can we install this Hakrawler tool?

Yeah, so the installation instructions are on the repository in the README file. If you just go to github.com/hakluke/hakrawler, it's all there. You can install it just using Go; if you install Go on your computer you can do it that way. There's a Docker install, and also if you're using Kali Linux you can use apt as well, but the apt version is apparently out of date currently. So I'd recommend, if you are happy to use any of those methods, I recommend using the Go one, because it will mean that you'll have the most up-to-date version installed.

Okay, perfect, awesome. Now, I did have one thing, though. When I was trying out Docker, it seemed the only image available on Docker Hub was for ARM architecture and not AMD.

Okay, I'll have to fix that.

Yeah, so I'm going to put a pull request in or something. I've got a bug here, buddy.

Yeah, yeah.

No, otherwise, so I just skipped that. I just built it in a Docker container the build way, which works great. And I prefer Docker, it's so much easier.

Yeah, it is. I actually didn't put the Docker stuff in. Someone else did that through a pull request, so I'll have to check it out. I don't even know how to add something to Docker Hub. I don't even know.

Oh yeah, it's actually, I think I have a video on it somewhere. Actually, I don't think I do, but if you need help with that, let me know. I've done it a few times.

Yeah, sure.

Awesome. Always, Luke, this has been awesome. I loved your tool. I love the hacker mindset of just going out there to make your own tool to do something, to automate. I mean, you said it was lazy, sure, but you still coded something, which I think is not lazy at all. But it is cool that you're like, okay, I could go through and do all this work manually, do URLs, or make it do something I don't want it to do, or try out old tools, and sure, you could have really found another tool, you could have put the work into Googling something, but instead you're like, you know what, I'm just going to make my own thing, which I think is the coolest thing ever. And also you're adding to the community. People can hack better, they can learn more things by using your tools. So thank you for doing that. It's awesome.

Oh, it's so fun. I really enjoy it. It's partly selfish, but I think it's good to open source everything you create as well, and just make sure that other people are learning from your learning as well. Everything that you give out to the universe comes back tenfold, so go for it. And I think too, with GitHub, a lot of people that I speak to about this stuff, they're afraid to release their code because they think it's going to get picked to pieces. It's the same with writing blogs, releasing videos, anything like that. People are just so scared to start, and I always say, just do it, just start. Nobody cares. Nobody cares if it sucks. Maybe there'll always be one or two people that are kind of negative towards what you're doing, but in the end it doesn't matter, as long as your heart's in the right place and you're being open with the things that you're creating. I think the majority of people will always appreciate what you're doing. And I don't need to tell you this, because you obviously do this all the time, but I'm sure you encounter similar things with people messaging like that.

Oh yeah. And that's so well said, and I love that you said that, because people need to understand: you just have to put your story out there, put yourself out there. It's not going to be perfect, and even if it's as perfect as you think, okay, you think it's the best thing ever, someone's going to pick you apart. Someone's going to do it. And I know for the longest time I never put anything on GitHub. I'm like, you know, it helps for coders, I'm not really a coder, I just started doing random stuff. And don't look at my GitHub, by the way, it's just full of garbage. But I just put myself out there, just put things out there. I think it's more about the ideas. Sure, someone could come in with amazing coding skills and tear me apart and make it way better than what I did, but it's the ideas that I think will stand and can be manipulated and made better. But anyways.

And that does happen. That does happen. A lot of the tools I make are literally just an iteration of an idea, and people come along and either create their own tool that does the same thing better, which is awesome, I'm all for it, or they make a pull request to mine and make my tool better. But that's what the hacking community is all about too. Even in the early stages of hacking, collaboration was how we moved forward, and it always will be how we move forward. One of my favorite quotes is that hacking is built on ideas, right, and ideas are only useful if we share them with other people and we're collaborating with each other. So I think GitHub is just the way to do that for coders, but of course making videos is another way to do that. Whatever; the more ways you can put your ideas out there, the better, I think.

Excellent. I encourage everyone to do it. Very well said. Now, just so people can find you, where can they look you up and learn more about HakLuke?

Okay, well, seeing as I'm guessing this will be on YouTube, you can find me, I actually have a YouTube channel, although I'm a bit slack on it, to be honest, but it's youtube.com/hakluke, h-a-k-l-u-k-e. But you can also find me, where I'm most active is on Twitter, so twitter.com/hakluke. You can also find my website, hakluke.com, which has links to everywhere, so maybe that's the best avenue. But yeah, that's pretty much it.

And also, real quick, how is it? Is it just you right now with your company, or do you have a team? Are you looking to hire? What's the situation right now?

I have a bunch of contractors, so I haven't hired anyone full time, but I work with maybe a rotating group of 10 to 15 subcontractors. And it's really cool. I like working with people, I like the work we're doing, feeling like we're making a difference. But that's pretty much where I'm at at the moment, and there's just a lot of sending emails.

Oh yeah, it's amazing. You think when you make a company, oh, I'm just going to be doing all this fun stuff. No, it's mainly admin. I know, most of what I do is not recording YouTube videos, it's emailing, managing people and all this, and then maybe for 20 minutes I get to record something. That's just how it is. Now, you alluded to that you're going to have some training for the hacking community. You said video content, rather. Was it just content or video content?

Yeah, yeah, I just create videos on YouTube every now and then. To be honest, I haven't done it for a while, and I release maybe one video every two or three months, but it's something that I kind of do every now and then. But probably the best place to follow me would be on Twitter if you're looking for regular updates.

Yeah, well, awesome. Well, Luke, I'm going to leave it here. Thanks for coming on, and everybody, if you want to follow Luke, check him out. You definitely should. All the links below. Just go do it.
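The crawl loop Luke describes (seed URLs, extract links, follow in-scope links level by level, concurrently) as an added Go example; this is not Hakrawler's own code, and the fixture site, the function names and the depth/worker semantics are assumptions made for the illustration. It goes slightly beyond the interview by bounding concurrency with a semaphore, capping body size, and keeping off-host URLs as output without fetching them.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
)

// linkRe pulls href/src targets out of a page; a real crawler would use an HTML tokenizer.
var linkRe = regexp.MustCompile(`(?i)(?:href|src)\s*=\s*["']([^"']+)["']`)

// fetchLinks downloads one page (body capped at 1 MiB) and returns its link targets as absolute
// http(s) URLs resolved against the final URL after any redirect; mailto:, javascript: etc. are dropped.
func fetchLinks(u string) []string {
	resp, err := http.Get(u)
	if err != nil {
		return nil // an unreachable page simply contributes nothing
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // a partial body is still worth parsing
	var out []string
	for _, m := range linkRe.FindAllStringSubmatch(string(body), -1) {
		if abs, err := resp.Request.URL.Parse(m[1]); err == nil && (abs.Scheme == "http" || abs.Scheme == "https") {
			abs.Fragment = "" // "/a#x" and "/a" are the same page
			out = append(out, abs.String())
		}
	}
	return out
}

// Crawl fetches start (a full URL such as "http://host/"), follows same-host links for
// maxDepth levels with at most workers fetches in flight, and returns every URL it saw.
// Off-host URLs are recorded, since they are useful output, but never fetched.
func Crawl(start string, maxDepth, workers int) map[string]bool {
	su, err := url.Parse(start)
	if err != nil || su.Host == "" || workers < 1 {
		return nil
	}
	seen := map[string]bool{start: true}
	frontier := []string{start}
	for depth := 0; depth < maxDepth && len(frontier) > 0; depth++ {
		results := make(chan []string, len(frontier))
		sem := make(chan struct{}, workers) // bounded concurrency, like a -t threads flag
		for _, u := range frontier {
			go func(u string) {
				sem <- struct{}{} // blocks while all workers are busy
				results <- fetchLinks(u)
				<-sem
			}(u)
		}
		var next []string
		for range frontier { // exactly one result arrives per page fetched this level
			for _, l := range <-results {
				if lu, err := url.Parse(l); err == nil && !seen[l] {
					seen[l] = true
					if lu.Host == su.Host {
						next = append(next, l) // in scope: follow it at the next level
					}
				}
			}
		}
		frontier = next
	}
	return seen
}

// NewFixtureServer serves a small constructed site so the crawler runs offline.
func NewFixtureServer() *httptest.Server {
	pages := map[string]string{
		"/":      `<a href="/about">About</a><script src="/static/app.js"></script><a href="https://example.com/">ext</a>`,
		"/about": `<a href="/team?dept=eng">Team</a><a href="/#top">Home</a><a href="mailto:a@b.test">mail</a>`,
		"/team":  `<a href="/secret">hidden</a>`,
	}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, pages[r.URL.Path]) // unknown paths get an empty 200 page
	}))
}

func main() {
	srv := NewFixtureServer()
	defer srv.Close()
	fmt.Println(Crawl(srv.URL+"/", 2, 4))
}
```

With depth 2 the constructed site yields the start page, /about, /static/app.js, /team?dept=eng and the off-host example.com link; /secret only appears at depth 3, which is the "as many levels down as you specify" behaviour from the interview.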
Original Description
Link to Youtube Video: https://youtu.be/mYCyZgAv_zE
READY TO LEARN??
---------------------------------------------------
-Learn Python: https://bit.ly/3rzZjzz
-Get your CCNA: https://bit.ly/nc-ccna
FOLLOW ME EVERYWHERE
---------------------------------------------------
Instagram: https://www.instagram.com/networkchuck/
Twitter: https://twitter.com/networkchuck
Facebook: https://www.facebook.com/NetworkChuck/
Join the Discord server: http://bit.ly/nc-discord
AFFILIATES & REFERRALS
---------------------------------------------------
(GEAR I USE...STUFF I RECOMMEND)
My network gear: https://geni.us/L6wyIUj
Amazon Affiliate Store: https://www.amazon.com/shop/networkchuck
Buy a Raspberry Pi: https://geni.us/aBeqAL
#Hacking #Linux #IT